Q and A

Advantages and disadvantages

This system keeps a usage log, can register a very large number of
users, controls users through a centralized database, and confirms
usage periodically. For more details, see the homepage.

What is the difference from Web authentication?

This system can be used with terminals that have no Web browser, but
it cannot be used through a router.

What is the difference from an authentication switch?

This system is lower in cost and more flexible, because it is built
from open source software on a standard FreeBSD machine.

I think that standards such as 802.1X are the better solution.

Yes, that is true. But this system copes better with problems of
user-side settings and terminal compatibility.

What environment is it suitable for?

It is suitable for a campus network where users connect various
mobile terminals. If your network has public terminals (used by
unspecified users), prepare another authentication method such as
Opengate. It is not recommended for a high-security network, because
it identifies terminals only by MAC address, which the gateway cannot
verify.

How many users can it handle?

Apart from database capacity, there is no limit on registrations. The
number of concurrent network users depends on the performance of the
FreeBSD machine working as the router / NAT. Judging from experience
with Opengate, several hundred users cause no problem.

Is the gateway overloaded? Is the load of inspecting packets high?

Because an inspected address is kept in a cache, packets from the same
terminal are processed in a few microseconds. After the cache entry
expires, the system runs the confirmation process, including the
database retrieval, which takes about ten milliseconds or more. After
the retrieval, the address is saved in the cache again.

The main load on the gateway is the routing and firewall processing in
FreeBSD. Judging from experience with Opengate, this is no problem. If
ten thousand or more users are expected, it is better to install
several gateways and divide the network into many subnets.

Is the database overloaded?

The MAC registration table is accessed frequently, so it is held in a
memory cache.

Records in the log table expire after 1 month.

The log table can be dropped to reduce the load, but then the log
display in the update page stops working.

Software installation

We have an Opengate network. What should we add?

Install the MySQL client on the gateway, then install the archive
from this site.

In addition, build the management system as a normal Web server
environment (Apache and a MySQL database).

We do not use Opengate. What should we do from zero?

First, build the gateway according to the Opengate installation
procedure. Then install the archive from this site.

If you use only this software without Opengate, skip the installation
of the Opengate CGI.

Should the gateway and the management database be placed on separate
machines?

You can build the whole system on one machine.

Can I put the whole network under one gateway?

We recommend dividing the network into appropriate subnets. This
reduces the load on the gateway. It also makes troubleshooting
easier, because the gateway cannot limit communication inside a
subnet below it.

We installed it, but it does not work.

First, confirm independently that each related system runs normally.

Check the syslog; errors are written to the log.

Did you install and run it with root privilege?

It can be run on a console when started (with root privilege) as
"opengatemd -c".

Raise the debug value in the conf file and watch the log.

Address registration

Authentication for the MAC investigation page does not pass.

Only administrators can enter this page. Check the administrator
users in the conf file, and enter an administrator ID and password.
The setting for administrator authentication is in the conf file.

The terminal I brought does not appear in the list on the MAC
investigation page.

Reload the page after accessing the network with that terminal.

What do the colored line and the * mark mean?

A colored line means a candidate terminal.

A * line shows a terminal that is already registered or in use. A *
line is not a candidate, even though it may be brought into the list
unexpectedly; its registration is refused.

What is the "?" mark in the vendor column?

The vendor data is acquired from the IEEE. The mark disappears if you
rebuild the local database. Refer to the archive.

Can a user leave the MAC investigation page without closing the
network?

A closing timer counts down on the server side.

What should I enter as the device name in the MAC registration page?

Enter any name by which the user can distinguish the device, but the
system refuses certain character codes, including kanji.

What is the e-mail address requested in the MAC registration page?

It is the destination of the expiration warning e-mail. It can be
changed by manual operation. If it is left blank, no mail is sent.

The default mail address shown in the MAC registration page is
strange.

Check the related items in the conf file.

Registration is refused as already registered, but the user cannot
use the network.

The terminal may have expired, by the time limit or by an
administrator setting. If it has expired, the user can set it as
available again in the update page.

If an administrator wants to set it as inactive, change the database
field directly. No Web interface exists.

What should the user do when a terminal is disposed of or passed to
another person?

The terminal expires automatically before long.

The registration can only be updated by the previous user.

If the previous user deletes it, the new user can register it.

The administrator can delete the database record directly, but there
is no Web interface.

A user wants to register a terminal by himself without bothering the
administrator.

This is implemented, but only for terminals that have a Web browser.

The administrator wants to register a large number of machines in a
batch.

This can be done with a MySQL script. An example is in the archive.

At registration, the log shows that the registration count limit is
exceeded.

There is an upper limit on the number of terminals per user. It can
be changed in the conf file.

More terminals can be registered by direct database manipulation.

For registration by the owner, the administrator wants to restrict
the terminal type.

Set an allowable HTTP-Agent pattern in the conf file. If it is not
set, all terminal types can be registered.

Why is authentication needed twice, before and after the address check
CGI (opengatemchk.cgi)?

Use of the address check CGI is restricted to the administrator.
Use of the address registration CGI is restricted to the owner.
The two authentications are for the administrator and the owner
respectively.

What is the difference between the page of the address registration
CGI (opengatemreg.cgi) and the page of the own management CGI
(opengatemown.cgi)?

The address registration CGI accepts transitions only from the
address check CGI; it registers an address that has passed the
administrator's check.
The own management CGI detects the address of the accessing terminal.
If that address is already registered, it shows the update page;
otherwise it shows the registration page. It can register the address
of the accessing terminal.

Network usage

A user cannot use the network, though the limit date has not been
reached.

If nobody can use the network, the problem is on the gateway side.

Is the user connected to the correct access point?

Are the network settings of the terminal right?

Access the update page and confirm the registration.

An Opengate authentication page appears.

When the check is refused or delayed, authentication is forwarded to
Opengate. Try loading another page once.

An administrator wants to stop the service.

Running "opengatemd -e" with root privilege terminates the daemon
after closing the network.

Running "opengatemd -s" terminates the daemon without closing the
network.

An administrator wants to reload the daemon.

Enter "opengatemd -r" with root privilege. It is recommended to
reload regularly from cron. The network stays open during the reload.

A user cannot use the system at a specific place.

The gateway or the access point for that place might be
malfunctioning.

Note that the system cannot be used through a router.

An administrator wants to manage users more easily.

This will be provided in the future. Alternatively, make your own
interface, because the database application is not difficult.
phpMyAdmin is another option.

Address update

How do I inform a user of the URL of the update page?

It is given in the expiration warning e-mail. You should also put
the link on the management homepage.

A user cannot enter the update page.

Check the authentication setting for general users.

What is the difference between a stop and a deletion?

After a stop, the terminal can be used again if you "update" it
later. Use this normally. After a deletion, the terminal has to be
registered again before it can be used.

When passing the terminal to another person or disposing of it, use
deletion.

What is the inactive mark "I"?

Use it when an administrator wants to stop a specific terminal.
Switching the flag needs administrator privilege. There is no Web
interface yet; please edit the database directly.

An administrator does not want to use the expiration warning e-mail.

Remove the cron setting, or remove the e-mail setting in the conf
file.

An administrator wants to change the time or the number of times the
expiration e-mail is sent.

There is an item for it in the conf file. The setting is written in
MySQL syntax.

An administrator wants to change the period until expiration.

There is an item for that in the conf file too. Write it in MySQL
syntax. A user may expire without noticing the expiration e-mail;
extension of usage is possible both before and after expiration.

What is the message about exceeding the update limit?

It informs you that the update count has exceeded the one-day limit.
The limit can be changed in the conf file.

What is the difference between the page of the address update CGI
(opengatemup.cgi) and the page of the own management CGI
(opengatemown.cgi)?

The address update CGI shows a list of the terminals registered by
the authenticated user.
The own management CGI detects the address of the accessing terminal.
If that address is registered, it shows the update page; otherwise it
shows the registration page.

Various settings

Can the same authentication server be used for administrator
authentication and general user authentication?

It can, except for Shibboleth and HTTP Basic.

An administrator wants to deny specific users.

Set the inactive flag "I" in the database field of the user's
terminals. There is no Web interface for that setting.

Why is a modification of the conf file not reflected in the service?

There are two conf files, [/etc/opengate/opengatemd.conf] and
[/etc/opengate/opengatemmng.conf]. One is for the daemon, and the
other is for the management programs.

A change for the management programs takes effect immediately,
because those programs are loaded on each request.

A change for the daemon does not take effect immediately, because the
daemon stays resident for a long time. Enter one of the following
commands to reload it.

The first two commands are suitable when you do not want to stop the
service, but when the change takes effect depends on the timing of
session processing. The last command is suitable when you want to
reset everything: the change takes effect immediately, but sessions
are interrupted.

[opengatemd -r]: Reload the daemon. The sessions continue under the
reloaded daemon.

[opengatemd -s; opengatemd]: Stop the daemon, leaving the sessions
untouched. The newly loaded daemon then takes over the sessions that
were left.

[opengatemd -e; opengatemd]: End the service and close all sessions.
The newly loaded daemon then starts new sessions.

An administrator wants to forbid using several terminals at the same
time.

The system does not include this function.

An administrator wants separate log files for Opengate and this
system.

Change the syslog setting in the conf file.

Can the firewall rule ranges for Opengate and this system overlap?

Yes, that is possible.

An administrator wants to allow or deny a specific port or site by
default.

Set the firewall rules appropriately.

An administrator wants network printers to be usable by default.

Set it in the firewall rules, or register the printer's address in
the database as a terminal without a time limit.

An administrator wants to deny registration of terminals intended for
open use.

Register those terminals with the inactive flag "I".

An administrator wants to extend the cache retention time to 1 day.

There are two caches. Extending the packet check cache is not
recommended, but the time for the MAC DB cache can be extended to one
day or longer.

An administrator wants to change parameter values depending on the
accessing user.

Refer to <ExtraSet> in the configuration file.

An administrator needs no authentication, but wants to show a welcome
page including the use policy and other information.

Splash-only management was added in Ver.0.9.7. Please refer to the
documentation of opengatemown.

Error messages

When loading the daemon, the log shows that database access is not
permitted.

Perhaps you ran it as a normal user. Start the daemon with root
privilege.

At reloading, the syslog shows several end/start messages. What are
these?

If a daemon is started with the reload option, it kills the previous
daemon and starts itself. The info message is suppressed when the
debug option in the conf file is 0.

The log shows that the UDP communication failed.

Check the conf files of the sender (registration/update Web programs)
and the receiver (daemon). In addition, check the path between the
two with "ping" and "nc (netcat)".

The log shows that the UDP client is not reliable.

Register the client address in the conf file of the daemon.

The UDP message seems to arrive, but the firewall rule does not change
for a while.

When the UDP message arrives, the system deletes the address from the
cache, but it does not control the session immediately. When a packet
from that terminal is detected later, the system confirms the terminal
again, because there is no longer a cache entry for it.
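The cache behaviour described in this answer and in the earlier answer on gateway load (fast path from the packet-check cache, database confirmation after a miss or expiry, and a UDP notice that only drops the cache entry) is simulated below. This is an added example, not OpengateM's own code; the class, the in-memory "registration table" and the sample MAC address are constructed for illustration.

```python
import time
# Added example (not OpengateM code): simulates the packet-check cache,
# the MAC DB confirmation on a miss, and the effect of a UDP notice.
class MacGatewaySim:
    def __init__(self, registered, cache_ttl=60.0, clock=time.monotonic):
        self.registered = registered   # stand-in for the MAC registration table
        self.cache = {}                # mac -> (allowed, expiry time)
        self.cache_ttl = cache_ttl     # packet-check cache lifetime in seconds
        self.clock = clock             # injectable for deterministic tests
        self.db_lookups = 0            # counts the slow (~10 ms) DB path
        self.firewall_open = set()     # MACs currently passed by the firewall

    def _db_confirm(self, mac):
        # The slow path: consult the registration table.
        self.db_lookups += 1
        return mac in self.registered

    def on_packet(self, mac):
        """Fast path on a cache hit; DB confirmation on a miss or expired entry."""
        now = self.clock()
        entry = self.cache.get(mac)
        if entry is not None and entry[1] > now:
            allowed = entry[0]
        else:
            allowed = self._db_confirm(mac)
            self.cache[mac] = (allowed, now + self.cache_ttl)
        if allowed:
            self.firewall_open.add(mac)
        else:
            self.firewall_open.discard(mac)
        return allowed

    def on_udp_notice(self, mac):
        """A notice from the Web programs only drops the cache entry; the firewall rule changes at the next packet."""
        self.cache.pop(mac, None)

def demo():
    # Constructed sample: a controllable clock and one registered terminal.
    t = [0.0]
    gw = MacGatewaySim({"00:11:22:33:44:55"}, cache_ttl=60.0, clock=lambda: t[0])
    mac = "00:11:22:33:44:55"
    for _ in range(2): gw.on_packet(mac)     # second packet is served from cache
    lookups_after_two = gw.db_lookups        # 1
    gw.registered.discard(mac)               # owner deletes the registration ...
    gw.on_udp_notice(mac)                    # ... and the Web program notifies the daemon
    still_open = mac in gw.firewall_open     # True: no packet has been checked yet
    allowed_now = gw.on_packet(mac)          # re-confirmed against the DB: False
    return lookups_after_two, still_open, allowed_now, gw.db_lookups
```

The delay the question asks about is visible in demo(): the firewall stays open after the notice and closes only when the next packet triggers a fresh database confirmation.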

The closing time in the log is delayed.

The closing time is the time at which no packet from the terminal has
been detected for a long time.

In addition, because of the judgment logic, the delay is not constant.

The log reports that the version of the conf file does not match.

New setting items were added to the conf file. Replace it with the
new file.

The system seems to malfunction.

Check the related systems independently.

Check the syslog and other log files. If you increase the debug
number in the conf file, more messages are dumped to the log.

The system runs on the console when started as "opengatemd -c" (root
privilege required).

The connection to the MySQL database is dropped frequently.

One reason may be growth of the database size.

Delete old records to shrink it. From Ver.1.1.0, old records are
removed automatically.

From Ver.1.1.2, recording and showing the log via MySQL can be
omitted to decrease the load (if you want that, drop the table
opengatem.sessionmd).